Cause Points Analysis for Effective Handling of Alarms

Static analysis tools are widely used in practice to improve the quality and reliability of software through early detection of defects. However, the number of alarms they generate is a major concern because of the cost of the manual inspection needed to partition those alarms into true errors and false positives. In this paper, we propose a static analysis that identifies the causes of the alarms generated by a client static analysis, which simplifies the manual inspections and reduces their cost. The proposed analysis involves the following: (1) modeling the basic reasons for alarms as alarm cause points of several types, (2) ranking these cause points using three different metrics, and (3) a workflow in which a user answers queries about the cause points and the answers are fed into a subsequent round of the client analysis. This collaboration between the user and the client analysis helps the tool resolve the unknowns encountered during the analysis and weed out alarms, and it helps the user expedite the manual inspection of the alarms that remain. Further, the ranking of cause points helps to prioritize the alarms. Our experimental evaluation in several settings demonstrated that the proposed approach (a) reduces manual effort by 23% to 72% depending on various parameters, with an average reduction of 42%, and (b) is also effective in identifying the alarms that are more likely to be true errors.
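The workflow in the abstract (model unknowns as cause points, rank them, ask the user, re-run the client analysis with the answers) can be made concrete with a toy client analysis. The following Python is an added illustration written for this page; it is not the paper's implementation, and everything in it is an assumption chosen for the example: the client analysis is a straight-line interval analysis that checks array indices, the only cause-point type is an unknown integer (a function parameter or a library return value), the single ranking metric is the number of alarms a cause point contributes to (the paper uses three metrics the abstract does not name), and the sample program, array sizes and user answers are constructed. An alarm whose index depends on no remaining unknown but still escapes the bounds is reported as an error under the facts supplied so far.

```python
"""Toy cause-point triage loop (added illustration, not the paper's code)."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

Interval = Tuple[int, int]                 # inclusive bounds
TOP: Interval = (-(10 ** 9), 10 ** 9)      # "unknown integer" (assumption: bounded range)


@dataclass
class Stmt:
    kind: str            # "const" | "unknown" | "add" | "index"
    line: int            # source line the statement stands for (constructed)
    dst: str = ""        # variable written by const/unknown/add
    args: tuple = ()     # const: (value,)  unknown: (cause_point_id,)
                         # add: (var, var)  index: (array, index_var)


@dataclass(frozen=True)
class Report:
    line: int
    var: str
    interval: Interval
    causes: FrozenSet[str]   # cause points the index value depends on; empty => none


@dataclass
class AbsVal:
    iv: Interval
    causes: FrozenSet[str]


def add_iv(a: Interval, b: Interval) -> Interval:
    """Interval addition; anything involving an unknown stays unknown."""
    return TOP if a == TOP or b == TOP else (a[0] + b[0], a[1] + b[1])


def analyze(prog: List[Stmt], arrays: Dict[str, int],
            answers: Dict[str, Interval]) -> Tuple[List[Report], List[Report]]:
    """One round of the client analysis. `answers` maps a cause-point id to the
    interval the user asserted for it; unanswered unknowns are TOP and are
    recorded as cause points of every value that depends on them."""
    env: Dict[str, AbsVal] = {}
    alarms: List[Report] = []   # out-of-bounds possible, depends on an unknown
    errors: List[Report] = []   # out-of-bounds under the known facts alone
    for s in prog:
        if s.kind == "const":
            env[s.dst] = AbsVal((s.args[0], s.args[0]), frozenset())
        elif s.kind == "unknown":
            cp = s.args[0]
            if cp in answers:
                env[s.dst] = AbsVal(answers[cp], frozenset())
            else:
                env[s.dst] = AbsVal(TOP, frozenset({cp}))
        elif s.kind == "add":
            a, b = env[s.args[0]], env[s.args[1]]
            env[s.dst] = AbsVal(add_iv(a.iv, b.iv), a.causes | b.causes)
        elif s.kind == "index":
            arr, idx = s.args
            v = env[idx]
            if 0 <= v.iv[0] and v.iv[1] <= arrays[arr] - 1:
                continue                       # provably in bounds
            rep = Report(s.line, idx, v.iv, v.causes)
            (alarms if v.causes else errors).append(rep)
        else:
            raise ValueError(f"unknown statement kind {s.kind!r}")
    return alarms, errors


def rank_cause_points(alarms: List[Report]) -> List[Tuple[str, int]]:
    """Rank cause points by how many alarms they explain (assumed metric);
    ties broken by id so the order is deterministic."""
    counts: Dict[str, int] = {}
    for a in alarms:
        for cp in a.causes:
            counts[cp] = counts.get(cp, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def triage(prog: List[Stmt], arrays: Dict[str, int],
           oracle: Callable[[str], Optional[Interval]], max_rounds: int = 20):
    """Ask the user about the top-ranked unasked cause point, feed the answer
    into the next round, and stop when no answerable cause point remains.
    Returns the final alarms, the final errors and (alarms, errors) per round."""
    answers: Dict[str, Interval] = {}
    asked: set = set()
    history: List[Tuple[int, int]] = []
    alarms: List[Report] = []
    errors: List[Report] = []
    for _ in range(max_rounds):
        alarms, errors = analyze(prog, arrays, answers)
        history.append((len(alarms), len(errors)))
        got_answer = False
        for cp, _count in rank_cause_points(alarms):
            if cp in asked:
                continue
            asked.add(cp)
            ans = oracle(cp)           # None means "the user does not know"
            if ans is not None:
                answers[cp] = ans
                got_answer = True
                break
        if not got_answer:
            break
    return alarms, errors, history


# Constructed sample program: `buf` has 8 elements; p, q, r are unknowns.
PROG = [
    Stmt("unknown", 1, "p", ("param p@L1",)),
    Stmt("unknown", 2, "q", ("retval read()@L2",)),
    Stmt("const", 3, "one", (1,)),
    Stmt("const", 4, "eight", (8,)),
    Stmt("add", 5, "i", ("p", "one")),
    Stmt("index", 6, args=("buf", "i")),        # alarm, cause {p}
    Stmt("add", 7, "j", ("p", "q")),
    Stmt("index", 8, args=("buf", "j")),        # alarm, causes {p, q}
    Stmt("add", 9, "k", ("eight", "one")),
    Stmt("index", 10, args=("buf", "k")),       # definite error: k == 9
    Stmt("index", 11, args=("buf", "one")),     # safe
    Stmt("unknown", 12, "r", ("retval getenv()@L12",)),
    Stmt("index", 13, args=("buf", "r")),       # alarm, cause {r}
]
ARRAYS = {"buf": 8}

# Constructed user answers: p is in [0, 3], read() returns 0..9, getenv() unknown.
USER_ANSWERS: Dict[str, Interval] = {"param p@L1": (0, 3), "retval read()@L2": (0, 9)}


def demo_oracle(cp: str) -> Optional[Interval]:
    return USER_ANSWERS.get(cp)


def run_demo():
    return triage(PROG, ARRAYS, demo_oracle)


if __name__ == "__main__":
    final_alarms, final_errors, rounds = run_demo()
    print("per-round (alarms, errors):", rounds)
    print("remaining alarms:", [(a.line, sorted(a.causes)) for a in final_alarms])
    print("errors under supplied facts:", [(e.line, e.interval) for e in final_errors])
```

Three alarms collapse to one across the rounds: the answer about `p` retires the alarm at line 6 outright, the answer about `read()` turns the line 8 alarm into an error because `j` can still reach 12, and the alarm at line 13 survives because the user could not bound `getenv()`. That is the shape the abstract describes: answered cause points remove or confirm the alarms that depend on them, and the unanswerable ones are what is left for manual inspection.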
